DEPARTMENT OF HEALTH & HUMAN SERVICES                              Office of Inspector General

                                                                   Washington, D.C. 20201

July 12, 2010

TO:       Marilyn Tavenner
          Acting Administrator and Chief Operating Officer
          Centers for Medicare & Medicaid Services

FROM:     /Daniel R. Levinson/
          Inspector General

SUBJECT:  Review of Medicare Contractor Information Security Program Evaluations for
          Fiscal Year 2007 (A-18-07-30291)

The attached final report provides the results of our Medicare contractor information security
program evaluations for fiscal year 2007.

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added
information security requirements for Medicare administrative contractors, fiscal intermediaries,
and carriers to section 1874A of the Social Security Act (the Act) (42 U.S.C. § 1395kk-1).
Pursuant to section 1874A of the Act, each Medicare contractor must have its information
security program evaluated annually by an independent entity. Section 1874A of the Act further
requires the Inspector General, Department of Health & Human Services, to submit to Congress
annual reports on the results of these evaluations, to include assessments of their scope and
sufficiency.

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that the Office of Inspector
General (OIG) post its publicly available reports on the OIG Web site. Accordingly, this report
will be posted at http://oig.hhs.gov.

Please send us your final management decision, including any action plan, as appropriate, within
60 days. If you have any questions or comments about this report, please do not hesitate to call
me, or your staff may contact Lori S. Pilcher, Assistant Inspector General for Grants, Internal
Activities, and Information Technology Audits, at (202) 619-1175 or through email at
Lori.Pilcher@oig.hhs.gov. Please refer to report number A-18-07-30291 in all correspondence.

Attachment


Department of Health & Human Services
OFFICE OF INSPECTOR GENERAL

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS
FOR FISCAL YEAR 2007

Daniel R. Levinson
Inspector General

July 2010
A-18-07-30291


Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is
to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the
health and welfare of beneficiaries served by those programs. This statutory mission is carried out
through a nationwide network of audits, investigations, and inspections conducted by the following
operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with
its own audit resources or by overseeing audit work done by others. Audits examine the performance of
HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are
intended to provide independent assessments of HHS programs and operations. These assessments help
reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress,
and the public with timely, useful, and reliable information on significant issues.
These evaluations focus
on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of
departmental programs. To promote impact, OEI reports also present practical recommendations for
improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and
misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50
States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department
of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI
often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering
advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal
operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS
programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In
connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG
renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides
other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement
authorities.


Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at http://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly
available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the
disallowance of costs incurred or claimed, and any other conclusions and recommendations in this
report represent the findings and opinions of OAS. Authorized officials of the HHS operating
divisions will make final determination on these matters.


EXECUTIVE SUMMARY

BACKGROUND

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added
information security requirements for Medicare administrative contractors (MAC), fiscal
intermediaries, and carriers to the Social Security Act (the Act). These contractors process and
pay Medicare fee-for-service claims. Each Medicare contractor must have its information
security program evaluated annually by an independent entity, and these evaluations must
address the eight major requirements enumerated in the Federal Information Security
Management Act of 2002 (FISMA). To comply with this provision, the Centers for Medicare &
Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate
information security programs at the MACs, fiscal intermediaries, and carriers using a set of
agreed-upon procedures.

The Act also requires evaluations of the information security controls for a subset of systems but
does not specify the criteria for these evaluations. To satisfy this requirement, CMS developed
an information security assessment methodology to test segments of the claims processing
systems at Medicare data centers, which operate the computer systems that process and pay
Medicare fee-for-service claims. CMS contracted with JANUS Associates, Inc. (JANUS), to
perform technical assessments at Medicare data centers using the assessment methodology.

The Inspector General, Department of Health & Human Services, must submit to Congress
annual reports on the results of these evaluations, to include assessments of their scope and
sufficiency. This report fulfills that responsibility for fiscal year (FY) 2007.

OBJECTIVES

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information
security program evaluations and data center technical assessments and (2) report the results of
those evaluations and assessments.

SUMMARY OF RESULTS

PwC’s reviews of the contractor information security program evaluations were adequate in
scope and sufficiency. We could not determine the extent and sufficiency of the JANUS work
for the data center technical assessments because of several issues with its working papers. PwC
reported a total of 112 gaps at 31 Medicare contractors. JANUS reported a total of 199 gaps at
13 data centers.

Assessment of Scope and Sufficiency

PwC’s reviews of the contractor information security program evaluations adequately
encompassed in scope and sufficiency the eight FISMA requirements referenced in the Act.

We could not determine the extent and sufficiency of the JANUS work for the data center
technical assessments because of several issues with its working papers, such as insufficient
evidence that all of the testing procedures had been performed, illegible handwriting and the lack
of cross-references, and incomplete or undocumented elements.
For two data centers, JANUS
either omitted gaps identified during testing in the data centers’ reports or inaccurately reported
the systems affected by gaps identified.

Results of Evaluations and Assessments

The results of the contractor information security program evaluations and data center technical
assessments are presented in terms of gaps, which are defined as the differences between FISMA
or CMS core security requirements and the contractors’ implementation of those requirements.

Results of Contractor Information Security Program Evaluations

In the 31 PwC evaluation reports for FY 2007, which covered all MACs, fiscal intermediaries,
and carriers, PwC identified a total of 112 gaps. The number of gaps per contractor ranged from
0 to 21 and averaged 4. The most gaps occurred in the following FISMA control areas: testing
of information security controls (39 gaps at 19 contractors), security program and system
security plans (21 gaps at 17 contractors), policies and procedures to reduce risk (19 gaps at 15
contractors), and security awareness training (17 gaps at 10 contractors).

The number of gaps reported in the PwC FY 2007 evaluation reports increased by only two when
compared to the results for FY 2006, while the number of contractors with no gaps decreased
significantly by over 80 percent.

Results of Data Center Technical Assessments

The 13 Medicare data center technical assessment reports prepared by JANUS identified a total
of 199 gaps.
The number of gaps reported per data center ranged from 6 to 35 and averaged 15.
Most of the security gaps occurred in the following security control categories: access control
(111 gaps at 13 data centers), configuration management (54 gaps at 11 data centers),
identification and authentication (15 gaps at 7 data centers), and physical and environmental
protection (7 gaps at 5 data centers).

The total number of gaps identified in FY 2007 (199) was 84 gaps more than the number
identified in FY 2006 (115). We noted decreases in two assessment categories ((1) certification,
accreditation, and security assessments and (2) maintenance) that were tested by JANUS at all
operational data centers in FY 2006 and FY 2007. However, we did not perform a detailed
comparison of the number of gaps identified within other security control categories tested for
the 2 FYs because these categories were not tested by JANUS at all operational data centers in
FY 2006.

Of the 199 gaps JANUS identified at the 13 data centers, 73 gaps were resolved and closed
during or after JANUS’s onsite visits to the data centers.
Hence, there were a total of 126 open
gaps at data centers requiring corrective action in FY 2007.

RECOMMENDATIONS

We recommend that CMS:

   •   review all contractor documentation related to future data center technical assessments
       and ensure that the work performed complies with CMS contractual requirements—at a
       minimum, this should include a review of test plans to ensure that the contractor has
       completed all required testing procedures and a review of contractor working papers to
       verify that reported gaps have been adequately supported, identified, and included in the
       technical assessment reports—and

   •   test security control areas in which a considerable number of gaps have consistently been
       identified in the past 2 FYs (i.e., access control, configuration management, identification
       and authentication) at all CMS Medicare data centers every year.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

In written comments on our draft report, CMS concurred with our recommendations. CMS also
stated that it has taken the appropriate actions to address the identified issues. We have included
CMS’s comments in their entirety in Appendix G.


TABLE OF CONTENTS

INTRODUCTION
     BACKGROUND
          The Medicare Program
          Medicare Prescription Drug, Improvement, and Modernization Act of 2003
          Centers for Medicare & Medicaid Services Evaluation Process for Fiscal Year 2007
     OBJECTIVES, SCOPE, AND METHODOLOGY
          Objectives
          Scope
          Methodology

RESULTS OF REVIEW
     ASSESSMENT OF SCOPE AND SUFFICIENCY
     RESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS
          Testing of Information Security Controls
          Security Programs and System Security Plans
          Policies and Procedures To Reduce Risk
          Security Awareness Training
     RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS
          Access Control
          Configuration Management
          Identification and Authentication
          Physical and Environmental Protection
     CONCLUSION
     RECOMMENDATIONS
     CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

APPENDIXES
     A – ASSESSMENT OF SCOPE AND SUFFICIENCY FOR THE JANUS DATA CENTER ASSESSMENTS
     B – LIST OF GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA
         AND MEDICARE CONTRACTOR
     C – PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR
     D – MEDICARE CONTRACTOR CHANGE IN TOTAL GAPS BY FEDERAL INFORMATION SECURITY
         MANAGEMENT ACT OF 2002 CONTROL AREA
     E – RESULTS OF MEDICARE CONTRACTOR EVALUATIONS FOR FEDERAL INFORMATION SECURITY
         MANAGEMENT ACT OF 2002 CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS
     F – LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY CONTROL
         AREA AND DATA CENTER
     G – CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS


INTRODUCTION

BACKGROUND

The Medicare Program

The Centers for Medicare & Medicaid Services (CMS) administers the Medicare program.
Medicare is a health insurance program for people age 65 or older, people under age 65 with
certain disabilities, and people of all ages with end-stage renal disease.
In fiscal year (FY) 2007,
Medicare paid more than $367 billion on behalf of over 44 million program beneficiaries. CMS
contracts with Medicare Administrative Contractors (MAC), fiscal intermediaries, and carriers to
administer Medicare benefits paid on a fee-for-service basis. Many MACs, fiscal intermediaries,
and carriers operate in-house data centers to process and pay Medicare claims, while others
subcontract with external data centers for this purpose.

In FY 2007, 26 distinct corporate entities served as fiscal intermediaries, carriers, or both. Four
of these entities also served as Durable Medical Equipment MACs, and one served as a Part A/B
MAC. Nine of the twenty-six entities also operated Medicare data centers, and four external
entities operated the remaining four data centers. Thus, 30 distinct entities processed and paid
Medicare fee-for-service claims.

Medicare Prescription Drug, Improvement, and Modernization Act of 2003

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) added
information security requirements for MACs, fiscal intermediaries, and carriers to section 1874A
of the Social Security Act (the Act).[1] (See 42 U.S.C. § 1395kk-1.) Pursuant to section
1874A(e)(1) of the Act, each MAC, fiscal intermediary, and carrier must have its information
security program evaluated annually by an independent entity. This section requires that these
evaluations address the eight major requirements enumerated in the Federal Information Security
Management Act of 2002 (FISMA). (See 44 U.S.C. § 3544(b).) These requirements, referred to
as “FISMA control areas” in this report, are:

        1. periodic risk assessments,
        2. policies and procedures to reduce risk,
        3. security program and system security plans,
        4. security awareness training,
        5. testing of information security controls,
        6. remedial actions,
        7. incident response, and
        8. continuity of operations planning.

Section 1874A(e)(2)(A)(ii) of the Act requires that the effectiveness of information security
controls be tested for an appropriate subset of Medicare contractors’ information systems.
However, this section does not specify the criteria for evaluating these security controls. CMS
and its information technology (IT) security assessment provider, JANUS Associates, Inc.
(JANUS), developed an information security assessment methodology to comply with this
provision.

Additionally, section 1874A(e)(2)(C)(ii) of the Act requires the Inspector General of the
Department of Health & Human Services to submit to Congress annual reports on the results of
such evaluations, including assessments of their scope and sufficiency. This report fulfills that
responsibility for FY 2007.

[1] The MMA contracting reform provisions added to section 1874A of the Act replace existing fiscal intermediaries
and carriers with MACs, which are to be competitively selected. Until such time as the new MACs are in place, the
requirements of section 1874A apply to fiscal intermediaries and carriers.

Centers for Medicare & Medicaid Services Evaluation Process for Fiscal Year 2007

CMS developed agreed-upon procedures (AUP) for the program evaluation based on the
requirements of section 1874A(e)(1) of the Act, FISMA, information security policy and
guidance from the Office of Management and Budget and the National Institute of Standards and
Technology (NIST), and the Government Accountability Office’s (GAO) Federal Information
Systems Controls Audit Manual (FISCAM). The independent auditors, PricewaterhouseCoopers
(PwC), under contract with CMS, used the AUPs to evaluate the information security programs
at the 31 MACs, fiscal intermediaries, and carriers.
The AUPs are the same as those used in
FY 2006; however, CMS removed three subcategories for the FY 2007 evaluations because they
were related to Medicare claims processing software system maintainers and not Medicare
fee-for-service contractors. PwC performed the evaluations and issued separate reports for the
31 MACs, fiscal intermediaries, and carriers.

To comply with the section 1874A(e)(2)(A)(ii) requirement to test the effectiveness of
information security controls for an appropriate subset of contractors’ information systems, CMS
contracted with JANUS to plan, develop, and implement a comprehensive program to perform
testing of information security controls at 13 Medicare data centers. JANUS performed the
assessments and issued separate reports for each of the 13 Medicare data centers.

Table 1 summarizes the change in the number of Medicare contractors and data centers. In
FY 2006, there were 29 Medicare contractors and 14 Medicare data centers. Changes during
FY 2007 resulted in the testing of 31 Medicare contractors and 13 Medicare data centers.

        Table 1: Change in the Number of Medicare Contractors and Data Centers

                                                                 Medicare       Medicare
                                                               Contractors    Data Centers
  Ending Balance, FY 2006                                           29             14
  Less: Entities that left the Medicare program during FY 2007       1              2
  Add: MACs                                                          3             --
  Add: Enterprise data centers[2]                                   --              1
  Beginning Balance, FY 2007                                        31             13

[2] As part of CMS’s data center consolidation initiative, enterprise data centers are being used to process Medicare
fee-for-service claims. Eventually all CMS data center operations will transition from legacy data centers to at most
three enterprise data centers.

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information
security program evaluations and data center technical assessments and (2) report the results of
those evaluations and assessments.

Scope

We evaluated the FY 2007 results of the independent evaluations and technical assessments of
Medicare contractors’ information security programs. Our review did not include an evaluation
of internal controls. We performed our reviews of PwC and JANUS working papers at CMS
headquarters in Baltimore, Maryland, and at Office of Inspector General regional offices.

Methodology

To accomplish our objectives, we performed the following steps:

   •   To assess the scope of the evaluations of contractor information security programs,
       we determined whether the AUPs included the eight FISMA control requirements.

   •   To assess the scope of the data center technical assessments, we reviewed the contract
       and statement of work between CMS and JANUS and verified that JANUS performed
       the work that CMS had specified.

   •   To assess the sufficiency of the evaluations of contractor information security
       programs, we reviewed PwC working papers supporting the evaluation reports to
       determine whether PwC conducted the AUPs listed in the reports. We also
       determined whether PwC conducted the evaluations in accordance with attestation
       engagement standards established by the American Institute of Certified Public
       Accountants and in accordance with Government Auditing Standards. In addition, we
       determined whether the evaluation reports encompassed the eight FISMA control
       areas enumerated in section 1874A(e)(1) of the Act.

   •   To assess the sufficiency of the data center technical assessments, we reviewed
       supporting working papers to verify that JANUS completed all test procedures,
       reported all medium- and high-risk gaps, and adequately supported all reported results
       with sufficient and appropriate evidence.

   •   To report on the results of the JANUS evaluations and technical assessments, we
       aggregated the results contained in the individual contractor evaluation reports and
       data center technical assessment reports. For the PwC evaluations, we used the
       number of gaps listed in the individual contractor evaluation reports to aggregate the
       results. In some instances, several gaps were noted under FISMA control
       subcategories. We counted duplicate gaps listed in a FISMA control area only once.
       For the JANUS assessments, we used the business risks listed in the individual
       technical assessment reports to aggregate the results.

We conducted this performance audit in accordance with generally accepted government
auditing standards, except that we did not obtain comments from JANUS or PwC. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.

RESULTS OF REVIEW

PwC’s reviews of the contractor information security program evaluations were adequate in
scope and sufficiency.
We could not determine the extent and sufficiency of the JANUS work
for the data center technical assessments because of several issues with its working papers. PwC
reported a total of 112 gaps at 31 Medicare contractors. JANUS reported a total of 199 gaps at
13 data centers.

ASSESSMENT OF SCOPE AND SUFFICIENCY

PwC’s reviews of the contractor information security program evaluations adequately
encompassed in scope and sufficiency the eight FISMA requirements referenced in section
1874A(e)(1) of the Act.

We could not determine the extent and sufficiency of the JANUS work for the data center
technical assessments because of several issues with its working papers. CMS’s contract with
JANUS provided for the planning, development, and implementation of a comprehensive
program to perform testing of information security controls at Medicare data centers.

The test plan documentation supplied by JANUS for 10 of the 13 data centers (77 percent) did
not contain sufficient evidence that all of the testing procedures had been performed. For the test
plans provided, JANUS did not always indicate whether it actually completed each testing
procedure. Additionally, for 8 of the 13 data centers (62 percent), we were unable to trace all
gaps presented in JANUS’s reports to supporting evidence because of illegible handwriting and
the lack of cross-references in the test scripts. Lastly, for 7 of the 13 data centers (54 percent),
we were not able to determine whether JANUS included all medium- and high-risk gaps in the
respective data center reports because of incomplete or undocumented elements in the JANUS
working papers. For two data centers, JANUS either omitted gaps identified during testing in the
data centers’ reports or inaccurately reported the systems affected by the gaps identified.
See
Appendix A for our analysis of the JANUS data center assessments.

RESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM
EVALUATIONS

We present the results of the Medicare contractor information security program evaluations in
terms of gaps, which are defined as the differences between FISMA or CMS core security
requirements and the contractors’ implementation of those requirements.

As shown in Table 2, the 31 evaluation reports identified a total of 112 gaps. The average
number of gaps per contractor was four. The number of gaps per contractor ranged from 0 to 21
for FY 2007. See Appendix B for a list of gaps per control area by contractor.

                       Table 2: Range of Medicare Contractor Gaps

                                      Number of Contractors With
           Total      ----------------------------------------------------
   FY      Gaps       0 Gaps     1 Gap     2–5 Gaps     6–9 Gaps     10+ Gaps
  2006      110          6         3          12            7            1
  2007      112          1         8          18            1            3

The number of gaps reported in the PwC FY 2007 evaluation reports increased by two when
compared to the results for FY 2006, and the number of contractors with no gaps decreased
significantly by more than 80 percent. See Appendix C for the FYs 2006–2007 percentage
change in gaps per Medicare contractor.

Table 3 summarizes the gaps found in each FISMA control area in FY 2006 and FY 2007. The
three FISMA control areas with an increase in gaps for FY 2007 were: (1) security awareness
training, (2) security program and system security plans, and (3) continuity of operations
planning.
(Appendix D summarizes the changes in a graph.)

      Table 3: Gaps by Federal Information Security Management Act Control Area

                                          Impact Levels                        No. of Contractors
                                          of FISMA          No. of Gaps        With One or
                                          Control Area      Identified         More Gap(s)
  FISMA Control Area                      Subcategories     FY 2006  FY 2007   FY 2006  FY 2007
  Periodic risk assessments               High/Medium           2        1         2        1
  Policies and procedures to reduce risk  High/Medium          22       19        14       15
  Security program and system
    security plans                        High/Medium          15       21        13       17
  Security awareness training             High/Medium          14       17        10       10
  Testing of information security
    controls                              High/Medium          44       39        20       19
  Remedial actions                        Medium                2        0         2        0
  Incident response                       High                  3        3         3        3
  Continuity of operations planning       High                  8       12         7        4
  Total                                                       110      112

The Medicare contractor information security program evaluations assessed several
subcategories within each FISMA control area.
The “impact level” shown in Table 3 refers to the possible level of adverse impact that could
result from successful exploitation of gaps in any of the FISMA control area subcategories,
depending on the organization’s mission and criticality and the sensitivity of the systems and
data involved. CMS and independent auditors developed ratings of high, medium, or low impact for
the subcategories of the FISMA control areas. The actual ratings assigned to the subcategories
were all high or medium impact and were PwC’s assessments. It is important to note that the
impact levels were assigned to subcategories of the FISMA control areas, not to individual gaps
identified within the control areas or subcategories. Individual gaps were assigned an overall
risk level on a subjective basis by PwC after taking into consideration the impact and likelihood
of occurrence. However, as stated in NIST Special Publication (SP) 800-115, Technical Guide to
Information Security Testing and Assessment, it is difficult to identify the risk level of
individual vulnerabilities because they rarely exist in isolation.

The following sections discuss the four FISMA control areas containing the most gaps. See
Appendix E for descriptions of each subcategory tested.

Testing of Information Security Controls

According to NIST SP 800-53, Recommended Security Controls for Federal Information Systems, the
effectiveness of information security policies, procedures, practices, and controls should be
tested and evaluated at least annually (or more often depending on risk). NIST SP 800-115 notes
that security testing allows organizations to measure levels of compliance in areas such as
patch management, password policy, and configuration management.
According to GAO’s FISCAM, changes to an application should be tested and approved before being
put into production.

Twelve of the thirty-one Medicare contractors had no identified gaps in the testing of
information security controls, while the remaining 19 had 1 to 5 gaps each. In total, 39 gaps
were identified in this area, with 39 gaps assigned to high-impact subcategories.

Following are examples of these gaps:

   •   There was a lack of evidence to support the rationale, testing, and approval for system
       changes.

   •   An annual evaluation or audit of platform configuration management procedures was not
       performed.

   •   Changes to supplemental claims processing software were not tested and approved before
       the changes were put into production.

Without a comprehensive program for periodically testing and monitoring information security
controls, management has no assurance that appropriate safeguards are in place to adequately
mitigate identified risks.

Security Programs and System Security Plans

NIST SP 800-100, Information Security Handbook: A Guide for Managers, states that agencies
should ensure their information security policy is sufficiently current to accommodate the
information security environment and the agency mission and operational requirements.
Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal
Information and Information Systems, and NIST SP 800-53 require organizations to screen
employees before granting access to information and information systems.

NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, states
that system security plans should provide an overview of a system’s security requirements and
describe the controls in place or planned for meeting those requirements.

Fourteen of the thirty-one Medicare contractors had no identified gaps in security programs and
system security plans, while the remaining 17 had 1 to 3 gaps each. In total, 21 gaps were
identified in this area. Seven gaps were assigned to high-impact subcategories.

Following are examples of gaps in security programs and system security plans:

   •   The contractor did not review security policies and procedures within the previous
       12 months.

   •   The contractor did not complete background investigations for all selected employees
       before they received system access.

   •   The system security plan did not reflect the current conditions of the IT operating
       environment.

If information security program requirements are not implemented and enforced, management
has no assurance that established system security controls will be effective in protecting valuable
assets, such as information, hardware, software, systems, and related technology assets that
support the organization’s critical missions.

Policies and Procedures To Reduce Risk

According to NIST SP 800-30, Risk Management Guide for Information Technology Systems,
risk management is the process of identifying and assessing risk and taking steps to reduce risk
to an acceptable level.
NIST SP 800-53 requires organizations to establish mandatory security configuration settings for
IT products, enforce the configuration settings in all components of the information system, and
promptly install newly released security-relevant patches and service packs.

Sixteen of the thirty-one Medicare contractors had no identified gaps in policies and procedures
to reduce risk, while the remaining 15 had 1 to 3 gaps each. In total, 19 gaps were identified in
this area, with 1 gap assigned to a high-impact subcategory. Following are examples of gaps in
policies and procedures to reduce risk:

   •   Router configuration standards did not exist to adequately reduce the risk of unauthorized
       access to sensitive CMS information.

   •   Weaknesses were identified in the configuration standards for firewalls, Windows
       servers, and internal network security controls. The standards were not adequate to
       reduce the risk of unauthorized access to sensitive CMS information.

   •   The contractor did not test security patches before they were installed into the production
       environment.

Ineffective policies and procedures to reduce risk could jeopardize an organization’s ability to
perform its mission, as well as to safeguard its information and IT assets. Without adequate
configuration standards and the latest security patches, systems may be susceptible to
exploitation that could lead to unauthorized disclosure, modification, or nonavailability of data.

Security Awareness Training

The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer
security awareness and accepted computer practices for all employees who manage, use, or
operate Federal computer systems. Additionally, Federal regulations (5 C.F.R.
§ 930.301(a)) require that role-specific training be provided based on each user’s security
responsibilities. FIPS 200 and NIST SP 800-53 require organizations to provide security awareness
training to all information system users. The same regulations (5 C.F.R. § 930.301(a)) also
require agencies to provide training for employees with significant information security
responsibilities, and the CMS Business Partners Systems Security Manual requires Medicare
contractors to document and monitor information security training activities.

Twenty-one of the thirty-one Medicare contractors had no identified gaps in security awareness
training, while the remaining 10 had 1 to 5 gaps each. In total, 17 gaps were identified in this
area. One gap was assigned to a high-impact subcategory.

Following are examples of security awareness training gaps:

   •   Security training and professional development for employees with significant security
       responsibilities had not been documented or formally monitored.

   •   Employees did not complete security awareness training or receive the rules of behavior.

Employees who are unaware of their security responsibilities or have not received adequate
training may be at increased risk of causing or exacerbating a computer security incident. If
security personnel are not provided specific job-related training, management has no assurance
that these employees can effectively perform their job responsibilities.
Inadequately trained employees could cause the loss, destruction, or misuse of sensitive
information and IT assets.

RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS

We present the results of the data center technical assessments in terms of gaps, which are
defined as the differences between FISMA or CMS core security requirements and the
contractors’ implementation of those requirements. As shown in Table 4, the 13 Medicare data
center technical assessment reports identified a total of 199 gaps. The average number of gaps
per data center was 15. The number of gaps per data center ranged from 6 to 35.

                             Table 4: Range of Data Center Gaps

                                        Number of Data Centers With
             Total    -------------------------------------------------------------------
    FY       Gaps     0 Gaps   1–5 Gaps   6–10 Gaps   11–20 Gaps   21–30 Gaps   30–40 Gaps
   2006       115        1        6           3            3            1            0
   2007       199        0        0           3            7            2            1

For FY 2007, CMS contracted with JANUS to evaluate NIST security controls at the 13 data
centers.
Overall, the FY 2007 testing addressed the following 12 NIST security control areas:

   •   access control

   •   configuration management

   •   identification and authentication

   •   physical and environmental protection

   •   maintenance

   •   certification, accreditation, and security assessments

   •   contingency planning

   •   system and information integrity

   •   audit and accountability

   •   personnel security

   •   system and communications protection

   •   e-authentication

JANUS’s testing of the NIST security control areas included a review of policies and procedures
and a penetration test of mainframe and distributed systems. At the enterprise data center,
JANUS tested 18 NIST security control areas, in addition to a penetration test of mainframe and
distributed systems. The security controls tested were the 12 listed above plus security planning,
risk assessment, incident response, media protection, system and services acquisition, and
awareness and training.

JANUS assigned each of the gaps to one of the 18 security control areas. Like PwC, JANUS
categorized the risks associated with the individual gaps as high, medium, or low based on the
potential impact and likelihood of exploitation. Of the 199 gaps JANUS identified across all 13
data centers, 21 gaps were high risk, 63 gaps were medium risk, and 115 gaps were low risk.
Seventy-three gaps were resolved and closed during or after JANUS’s onsite visits to the data
centers, including 12 high-risk gaps, 26 medium-risk gaps, and 35 low-risk gaps.
Hence, there were a total of 126 open gaps at data centers requiring corrective action in
FY 2007.

The total number of gaps identified in FY 2007 (199) was significantly higher than the number
identified in FY 2006 (115), an increase of 84 gaps. We noted decreases in two assessment
categories, (1) certification, accreditation, and security assessments and (2) maintenance, that
were tested by JANUS at all operational data centers in FY 2006 and FY 2007. However, we did
not perform a detailed comparison of the number of gaps identified within other security control
categories tested for the 2 FYs because these categories were not tested by JANUS at all
operational data centers in FY 2006. CMS uses a rotational approach in performing its technical
assessments of data centers, where some security control categories are not tested every year.

Table 5 presents the aggregate results reported for the 13 data centers, including the number of
data centers with high-risk gaps. Appendix F shows the number of reported gaps at each data
center by security control area.

                           Table 5: Data Center Reported Gaps by
           National Institute of Standards and Technology Security Control Area

                                              No. of Data  Total No.   No. of     No. of     No. of
                                              Centers      of Gaps     High-Risk  Medium-    Low-Risk
      Security Control Area                   w/ Gaps      Identified  Gaps       Risk Gaps  Gaps
      Access control                              13          111         16         29         66
      Configuration management                    11           54          3         27         24
      Identification and authentication            7           15          1          1         13
      Physical and environmental protection        5            7          0          0          7
      Maintenance                                  1            3          0          3          0
      Certification, accreditation, and            1            2          0          0          2
        security assessments
      Contingency planning                         1            2          0          2          0
      System and information integrity             1            2          0          1          1
      Audit and accountability                     1            1          1          0          0
      Personnel security                           1            1          0          0          1
      System and communications protection         1            1          0          0          1
        Total                                                 199         21         63        115

Note: For all 13 data centers reviewed, JANUS reported no gaps in the NIST security control
area of e-authentication.
For the enterprise data center reviewed for the first time in 2007, JANUS reported no gaps in
security planning, risk assessment, incident response, media protection, system and services
acquisition, and awareness and training.

Noteworthy from the results in the JANUS reports is that 7 of the 21 high-risk gaps (33 percent)
were identified at 1 of the 13 data centers. In addition, the 35 gaps reported at 1 data center
made up 18 percent of all identified gaps.

Figure 1 uses the data from Table 5 to show the percentages of data centers with gaps (per NIST
security control area) in relation to the number of data centers tested. Gaps were identified at
more than one-third of data centers tested in the following NIST security control areas: access
control, configuration management, identification and authentication, and physical and
environmental protection.

            Figure 1: Percentage of Tested Data Centers to Data Centers With Gaps,
                by National Institute of Standards and Technology Control Area

[Bar chart not reproduced in text. Vertical axis: percentage of tested data centers with gaps,
0% to 100%. One bar per NIST control area: Access Control; Configuration Management;
Identification & Authentication; Physical & Environmental Protection; Maintenance; Certification,
Accreditation, & Assessments; Contingency Planning; System & Information Integrity; Audit &
Accountability; Personnel Security; System & Communications Protection; E-Authentication.]

The following sections discuss the four security control areas for which more than one-third of
tested data centers had gaps.

Access Control

According to GAO’s FISCAM, inadequate access controls diminish the reliability of
computerized data and increase the risk of destruction or inappropriate disclosure of data. Gaps
in access control create vulnerabilities in the confidentiality, integrity, and availability of
Medicare data and systems. Associated gaps in the configuration of systems software that
controls access to systems can make computers vulnerable to unauthorized access.

All 13 data centers (100 percent) tested for access control had multiple gaps.
Examples of these\ngaps included the ability to read files containing personal health information on the mainframe\nsystem and archived tapes; users having unnecessary read access to sensitive system files; and\nmisconfigured and unpatched Web servers, which may allow unauthorized access.\n\n\n\n\n                                                                                                          12\n\x0cConfiguration Management\n\nGAO\xe2\x80\x99s FISCAM indicates that without proper configuration management, security features\ncould accidentally or intentionally be turned off. In addition, processing irregularities or\nmalicious code could be introduced that might allow access to sensitive data or remote control of\na system. NIST SP 800-70, Security Configuration Checklists Program for IT Products,\nidentifies the use of security configuration checklists as a way to provide a consistent approach\nto systems security and help protect against common and dangerous local and remote threats.\n\nJANUS identified multiple gaps at 11 of the 13 data centers (85 percent) tested in this area.\nExamples with high risk were the use of insecure remote access protocols; unnecessary services\nrunning on servers, which increase the risk of unauthorized access; and the use of unsupported\noperating systems on the network.\n\nIdentification and Authentication\n\nFIPS 200 and NIST SP 800-53 require organizations to develop, disseminate, and periodically\nreview or update identification and authentication policies and procedures. Authentication of an\nindividual\xe2\x80\x99s identity is a fundamental component of physical and logical access control\nprocesses. A common threat to an organization\xe2\x80\x99s servers is that sensitive information on the\nserver may be read by unauthorized individuals or changed in an unauthorized manner.\n\nSeven of thirteen data centers (54 percent) tested for identification and authentication controls\nhad gaps. 
Examples included user account passwords that did not comply with CMS policy,\nweak encryption keys, and the use of an older version of an authentication protocol.\n\nPhysical and Environmental Protection\n\nFIPS 200 and NIST SP 800-53 require organizations to develop, disseminate, and periodically\nreview or update physical and environmental policies and procedures, ensure only authorized\naccess to facilities and visitor access is logged, and ensure safety and environmental controls are\nin place to prevent damage to IT infrastructure assets.\n\nFive of thirteen data centers (38 percent) tested for physical and environmental protection\ncontrols had gaps. Examples included failure to follow procedures for physical access to\nfacilities, lack of logs for the removal from and delivery to the data center of IT inventory, and\nthe lack of physical protection for emergency power equipment.\n\nCONCLUSION\n\nThe work performed by PwC to evaluate contractor information security programs adequately\nencompassed the eight FISMA requirements referenced in section 1874A of the Act. Gaps\nreported during the PwC program evaluations were supported by documented evidence.\n\nHowever, we could not determine the extent and sufficiency of the JANUS work for the data\ncenter technical assessments because of several issues with its working papers. In most\n\n                                                 13\n\x0cinstances, the documentation supplied by JANUS did not provide evidence of the testing\nprocedures performed at the data centers. The documentation JANUS provided did not always\nindicate whether JANUS actually completed each testing procedure, and cross-references to\nsupporting documentation were missing for many of the test procedures. In many cases, we\nwere unable to trace gaps presented in JANUS\xe2\x80\x99s final reports to supporting evidence. 
Because\nthe documentation provided by JANUS did not reasonably ensure that JANUS completed the\nwork CMS engaged it to do, we could not determine whether JANUS reported all medium- or\nhigh-risk gaps and adequately supported all gaps that were included in the reports.\n\nNIST recommends that organizations assess more frequently those security controls that are the\nmost volatile or deemed critical, as well as those identified in the plans of action and milestones\nbecause these controls have been deemed to be ineffective or nonexistent.\n\nRECOMMENDATIONS\n\nWe recommend that CMS:\n\n   \xe2\x80\xa2   review all contractor documentation related to future data center technical assessments\n       and ensure that the work performed complies with CMS contractual requirements\xe2\x80\x94at a\n       minimum, this should include a review of test plans to ensure that the contractor has\n       completed all required testing procedures and a review of contractor working papers to\n       verify that reported gaps have been adequately supported, identified, and included in the\n       technical assessment reports\xe2\x80\x94and\n\n   \xe2\x80\xa2   test security control areas in which a considerable number of gaps have consistently been\n       identified in the past 2 FYs (i.e., access control, configuration management, identification\n       and authentication) at all CMS Medicare data centers every year.\n\nCENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS\n\nIn written comments on our draft report, CMS concurred with our recommendations. CMS also\nstated that it has taken the appropriate actions to address the identified issues. 
We have included\nCMS\xe2\x80\x99s comments in their entirety in Appendix G.\n\n\n\n\n                                                 14\n\x0cAPPENDIXES\n\x0c              APPENDIX A: ASSESSMENT OF SCOPE AND SUFFICIENCY\n                  FOR THE JANUS DATA CENTER ASSESSMENTS\n\n                     Office of Inspector General Criteria for Assessing\n                                  JANUS Working Papers\n                  Sufficient Evidence           Sufficient\n                  That All Work Was       Documentation for All Reported All Medium-\n    Data Center      Performed?              Reported Gaps?          and High-Risk Gaps?\n         1                Yes                      Yes                       Yes\n         2                 No                       No                   Inconclusive1\n         3                 No                       No                   Inconclusive1\n         4                Yes                      Yes                       Yes\n         5                 No                       No                       No2\n         6                 No                       No                       Yes\n         7                Yes                      Yes                       No2\n         8                 No                       No                   Inconclusive1\n         9                 No                      Yes                   Inconclusive1\n        10                 No                       No                   Inconclusive1\n        11                 No                       No                   Inconclusive1\n        12                 No                       No                   Inconclusive1\n        13                 No                      Yes                       Yes\n1\n Because of deficiencies with JANUS working papers, we were unable to determine whether\nJANUS reported all medium- and high-risk gaps.\n2\n JANUS either omitted gaps identified during testing from the data center\xe2\x80\x99s report 
or inaccurately reported the number of systems affected by the gaps identified.

APPENDIX B: LIST OF GAPS BY
FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
CONTROL AREA AND MEDICARE CONTRACTOR

Control areas (with impact levels): (a) Periodic Risk Assessments (High); (b) Policies and
Procedures To Reduce Risk (High); (c) Security Program and Security Plans (High); (d) Security
Awareness Training (High); (e) Testing of Controls (High); (f) Remedial Actions (Medium);
(g) Incident Response (High); (h) Continuity of Operations (High).

Medicare
Contractor   (a)   (b)   (c)   (d)   (e)   (f)   (g)   (h)   Total Gaps
     1        0     0     1     0     1     0     0     0         2
     2        0     0     1     0     0     0     0     0         1
     3        0     1     1     1     1     0     0     0         4
     4        0     0     1     0     0     0     0     0         1
     5        0     0     1     0     0     0     0     0         1
     6        0     0     0     2     2     0     0     0         4
     7        0     1     0     0     0     0     0     0         1
     8        0     1     0     0     1     0     0     0         2
     9        0     0     0     0     3     0     0     1         4
    10        0     0     0     0     3     0     0     0         3
    11        0     1     0     0     0     0     0     0         1
    12        0     1     1     2     1     0     0     0         5
    13        0     2     0     0     2     0     0     0         4
    14        0     0     0     0     1     0     0     1         2
    15        0     1     0     1     0     0     0     0         2
    16        0     1     3     5     5     0     0     7        21
    17        1     2     1     0     4     0     1     3        12
    18        0     0     1     0     0     0     0     0         1
    19        0     0     0     0     0     0     0     0         0
    20        0     0     0     0     1     0     0     0         1
    21        0     0     1     0     2     0     0     0         3
    22        0     0     1     0     0     0     0     0         1
    23        0     0     1     0     2     0     0     0         3
    24        0     1     3     2     3     0     1     0        10
    25        0     1     1     0     0     0     0     0         2
    26        0     1     0     1     2     0     1     0         5
    27        0     1     0     0     2     0     0     0         3
    28        0     1     0     1     0     0     0     0         2
    29        0     0     1     1     0     0     0     0         2
    30        0     3     1     0     2     0     0     0         6
    31        0     0     1     1     1     0     0     0         3
  Total       1    19    21    17    39     0     3    12       112

Note: Impact levels for Federal Information Security Management Act of 2002 (FISMA)
control areas were derived by PricewaterhouseCoopers by taking the highest value from among
the subcategories.

APPENDIX C: PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR

Contractor          FY 2006      FY 2007      % Change
     1                 1            2           100%
     2                 0            1           100
     3                 5            4           (20)
     4                 0            1           100
     5                 0            1           100
     6                10            4           (60)
     7                 8            1           (88)
     8               N/A            2           N/A
     9                 7            4           (43)
    10                 5            3           (40)
    11                 4            1           (75)
    12                 5            5             0
    13                 1            4           300
    14                 2            2             0
    15                 3            2           (33)
    16                 6           21           250
    17                 8           12            50
    18                 7            1           (86)
    19                 0            0             0
    20                 0            1           100
    21                 4            3           (25)
    22               N/A            1           N/A
    23               N/A            3           N/A
    24                 9           10            11
    25                 2            2             0
    26                 9            5           (44)
    27                 4            3           (25)
    28                 2            2             0
    29                 3            2           (33)
    30                 0            6           600
    31                 1            3           200
Contractor No
Longer in Program      4            -             -
  Total              110          112             2%

Note: Contractors listed as “N/A” were new Medicare Administrative Contractors in FY 2007.
FY = fiscal year

APPENDIX D:
MEDICARE CONTRACTOR CHANGE IN TOTAL GAPS
BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
CONTROL AREA

[Figure: chart of the change in total gaps per Medicare contractor by FISMA control area; the chart itself was not recoverable from the extraction]

IT = Information Technology

APPENDIX E: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS
FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS

The “impact level” shown in Tables 1 through 4 on the following pages refers to the level of
adverse impact that could result from successful exploitation of a vulnerability in any of the
FISMA control areas. Impact can be described as high, medium, or low in light of the
organization’s mission and criticality and the sensitivity of the systems and data involved.
PricewaterhouseCoopers assigned a rating of high or medium impact to each of the subcategories
in the agreed-upon procedures developed by the Centers for Medicare & Medicaid Services
(CMS). It is important to note that the impact levels were assigned to subcategories of the
FISMA control areas, not the individual gaps identified within the control areas or subcategories.
Individual gaps were assigned an overall risk level on a subjective basis by
PricewaterhouseCoopers after taking into consideration the impact and likelihood of occurrence.

TESTING OF INFORMATION SECURITY CONTROLS

The Medicare contractor information security program evaluations assessed five subcategories
related to the testing of information security controls. The evaluation reports identified a total of
39 gaps in this FISMA control area.

                    Table 1: Testing of Information Security Controls Gaps

No.  Subcategory                                                       No. of Total Gaps   Subcategory
                                                                       in This Area        Impact Level
 1   Management reports exist for the review and testing of                    2           High
     information security policies and procedures, including
     network risk assessments, accreditations and certifications,
     internal and external audits, security reviews, and
     penetration and vulnerability assessments.
 2   Annual reviews and audits are conducted to ensure compliance              6           High
     with FISMA guidance from the Office of Management and Budget
     for reviews of security controls, including logical and
     physical security controls, platform configuration standards,
     and patch management controls.
 3   Change control management procedures exist.                               1           High
 4   Change control procedures are tested by management to ensure             30           High
     they are in use.
 5   Remedial action is being taken for issues noted in audits.                0           Medium
     Total                                                                    39

POLICIES AND PROCEDURES TO REDUCE RISK

The Medicare contractor information security program evaluations assessed four subcategories
related to policies and procedures to reduce risk. The evaluation reports identified a total of 19
gaps in this FISMA control area.

                   Table 2: Policies and Procedures To Reduce Risk Gaps

No.  Subcategory                                                       No. of Total Gaps   Subcategory
                                                                       in This Area        Impact Level
 1   Systems security controls have been tested and evaluated. The             1           High
     system/network boundaries have been subjected to periodic
     reviews/audits.
 2   Documentation exists that outlines reducing the risk exposure             0           High
     identified in periodic risk assessments.
 3   Gaps in compliance exist based on a comparison of management’s            0           High
     compliance checklist and CMS’s core security requirements.
 4   Security policies and procedures include controls to address             18           Medium
     platform security configurations and patch management.
     Total                                                                    19

SECURITY PROGRAM AND SYSTEM SECURITY PLANS

The Medicare contractor information security program evaluations assessed 10 subcategories
related to security program and system security plans. The evaluation reports identified a total of
21 gaps in this FISMA control area.

                 Table 3: Security Program and System Security Plan Gaps

No.  Subcategory                                                       No. of Total Gaps   Subcategory
                                                                       in This Area        Impact Level
 1   Owners and users are aware of security policies.                          0           High
 2   A security plan is documented and approved.                               0           High
 3   The plan is kept current.                                                 2           High
 4   Management ensures that corrective actions are effectively                0           High
     implemented.
 5   Security employees have adequate security training and                    5           High
     expertise.
 6   Hiring, transfer, termination, and performance policies                   0           High
     address security.
 7   Employee background checks are performed.                                 5           Medium
 8   A security management structure has been established.                     0           Medium
 9   Information security responsibilities are clearly assigned.               1           Medium
10   Management has documented that it periodically assesses the               8           Medium
     appropriateness of security policies and compliance with them,
     including testing of security policies and procedures.
     Total                                                                    21

SECURITY AWARENESS TRAINING

The Medicare contractor information security program evaluations assessed six subcategories
related to security awareness training. The evaluation reports identified a total of 17 gaps in this
FISMA control area.

                           Table 4: Security Awareness Training Gaps

No.  Subcategory                                                       No. of Total Gaps   Subcategory
                                                                       in This Area        Impact Level
 1   Annual refresher training for security is mandatory.                      1           High
 2   Employees have received a copy of or have easy access to                  0           Medium
     agency security procedures and policies.
 3   Employees have received a copy of the Rules of Behavior.                  8           Medium
 4   Systematic methods are used to make employees aware of                    0           Medium
     security (e.g., posters or booklets).
 5   Security professionals have received specific training for                5           Medium
     their job responsibilities, and the type and frequency of
     application-specific training provided to employees and
     contractor personnel are documented and tracked.
 6   Employee training and professional development have been                  3           Medium
     documented and formally monitored.
     Total                                                                    17

APPENDIX F: LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY SECURITY CONTROL AREA AND DATA CENTER

                                                                    Data Center
NIST Security Control Area                    1   2   3   4   5   6   7   8   9  10  11  12  13   Total Gaps
Access Control                                3   9  15   8   4  20   5   3   9   7   6   6  16      111
Configuration Management                      2   2   9   3   7  12   3   4   0   0   3   5   4       54
Identification and Authentication             1   0   3   0   1   2   3   0   0   0   3   2   0       15
Physical and Environmental Protection         0   1   0   0   0   0   1   1   0   0   0   2   2        7
Maintenance                                   0   0   0   0   0   0   0   3   0   0   0   0   0        3
Certification, Accreditation, and
  Security Assessments                        0   0   0   0   0   0   0   0   0   0   2   0   0        2
Contingency Planning                          0   0   0   0   2   0   0   0   0   0   0   0   0        2
System and Information Integrity              0   0   0   0   0   0   2   0   0   0   0   0   0        2
Audit and Accountability                      0   0   0   0   0   1   0   0   0   0   0   0   0        1
Personnel Security                            0   0   0   0   0   0   0   0   0   1   0   0   0        1
System and Communications Protection          0   0   0   0   0   0   0   1   0   0   0   0   0        1
Total                                         6  12  27  11  14  35  14  12   9   8  14  15  22      199

Note: For all 13 data centers reviewed, JANUS reported no gaps in the NIST security control
area of e-authentication.
For the enterprise data center reviewed for the first time in 2007,
JANUS reported no gaps in security planning, risk assessment, incident response, media
protection, system and services acquisition, and awareness and training.

NIST = National Institute of Standards and Technology

APPENDIX G: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

DEPARTMENT OF HEALTH & HUMAN SERVICES
Administrator
Washington, DC 20201

MAY 20 2010

TO:        Daniel R. Levinson

FROM:      Marilyn Tavenner
           Acting Administrator and Chief Operating Officer

SUBJECT:   Office of Inspector General (OIG) Draft Report -- Review of Medicare Contractor
           Information Security Program Evaluations for Fiscal Year 2007 (A-18-07-30291)

The Centers for Medicare & Medicaid Services (CMS) appreciates the valuable feedback
provided by the OIG and their audit process. We continually strive to improve our oversight of
Medicare contractors working on our behalf and we realize there is always room for
improvement. Review of contractor documentation related to Security Test & Evaluation
(ST&E) as well as testing controls where gaps have been identified in the past are two areas that
we are actively working to improve. Enclosed are the CMS official comments in response to the
OIG Draft Report - Review of Medicare Contractor Information Security Program Evaluations
for Fiscal Year 2007 (A-18-07-30291).

OIG Recommendation

Recommend that CMS review all contractor documentation related to future data center technical
assessments and ensure that the work performed complies with CMS contractual requirements—
at a minimum, this should include a review of test plans to ensure that the contractor has
completed all required testing procedures and a review of contractor working papers to verify
that reported gaps have been adequately supported, identified, and included in the technical
assessment reports.

CMS Response

The CMS agrees with the OIG recommendation. We will review all documentation related to
Contractor ST&E and ensure that Site Test Plans, Working Papers, Draft Reports, Scripts, Final
Reports, etc. are reviewed thoroughly during and after completion of audits. The following list
depicts the reviews performed on documentation provided to CMS for the FY 2008 and FY 2009
ST&E audits.

The CMS Office of Information Services/EDCG reviews all ST&E documentation related to
ST&E audits.

For FY 2008 - ST&E contractor Janus Associates, CMS reviewed the following:
       Palmetto GBA - 6 control families tested for phase 2 controls
       Quality Net - 6 control families tested for phase 2 controls
       Highmark - 6 control families tested for phase 2 controls
       Verizon - 5 control families tested for phase 1 controls
       BCBS Florida - 6 control families tested for phase 2 controls
       Baltimore Data Center - 6 control families tested plus pen test for phase 1 controls
       Tulsa (EDS) Data Center - 6 control families tested for phase 2 controls
       Plano (MCS) Data Center - 6 control families tested for phase 2 controls
       Columbia (CDS) Data Center - 6 control families tested for phase 1 controls
       NGS - 6 control families tested for phase 2 controls
       Mutual of Omaha - 6 control families tested for phase 2 controls

For FY 2009 - ST&E contractor iFed LLC, CMS reviewed the following:
       Tulsa (EDS) - 6 control families tested for phase 3 controls (recert)
       Columbia (CDS) Data Center - 12 control families tested for phase 2 and phase 3
       controls (recert)
       Palmetto - 6 control families tested for phase 3 controls
       WPS (Mutual of Omaha) - 6 control families tested for phase 3 controls
       NGS - 6 control families tested for phase 3 controls
       Cahaba - 6 control families tested for phase 1 controls
       Baltimore Data Center - 6 control families tested plus pen test for phase 2 controls

OIG Recommendation

Test security control areas in which a considerable number of gaps have consistently been
identified in the past 2 FYs (i.e., access control, configuration management, identification and
authentication) at all CMS Medicare data centers every year.

CMS Response

The CMS agrees with the OIG recommendation and continues to test control areas where
deficiencies occurred in previous fiscal years. Control areas are selected based on the phase of
the audit cycle. For fiscal years 2008 and 2009, CMS concentrated on testing repeat controls for
the Enterprise Data Centers (HP Tulsa, CDS Columbia, and the Baltimore Data Center). The
practice of retesting controls for problem areas in the EDC's continues with the FY 2010 ST&E
audits. The following list depicts the controls tested in FY 2008 and FY 2009 at the remaining
legacy Medicare data centers and the EDC's.

Controls Tested 2008:

BCBS Florida, Palmetto GBA, Mutual of Omaha, Plano (MCS) Data Center, Quality Net, Tulsa
(EDS), Highmark, and NGS:
       Audit and Accountability (AU) - Technical
       Configuration Management (CM) - Operational
       Contingency Planning (CP) - Operational
       Planning (PL) - Management
       Risk Assessment (RA) - Management
       System and Information Integrity (SI) - Operational

Columbia Data Center (CDS) and Baltimore Data Center:
       Access Control (AC) - Technical
       Identification and Authentication (IA) - Technical
       Personnel Security (PS) - Operational
       Physical and Environmental Protection (PE) - Operational
       System and Communications Protection (SC) - Technical

Controls Tested 2009:

Tulsa (EDS) Data Center, Palmetto GBA, WPS, NGS, Cahaba:
       Awareness and Training (AT) - Operational
       Security Assessment and Authorization (CA) - Management
       Incident Response (IR) - Operational
       Maintenance (MA) - Operational
       Media Protection (MP) - Operational
       System and Services Acquisition (SA) - Management

Columbia Data Center (CDS):
       Awareness and Training (AT) - Operational
       Audit and Accountability (AU) - Technical
       Security Assessment and Authorization (CA) - Management
       Configuration Management (CM) - Operational
       Contingency Planning (CP) - Operational
       Incident Response (IR) - Operational
       Maintenance (MA) - Operational
       Media Protection (MP) - Operational
       Planning (PL) - Management
       Risk Assessment (RA) - Management
       System and Services Acquisition (SA) - Management
       System and Information Integrity (SI)
Operalioool\n\nModified testing was perfonncd due to the A\xc2\xb7123 testing of same controls and CMS was able to\ninherit a portion of the A-123 work .\n\nBaltimore Data Center:\n       Audit and Accountability (AU) - Techllical\n       Configuration Management (CM) - Oper(J{ioll(l{\n       Contingency Planning (CP) - Operational\n       Planning (PL) \xe2\x80\xa2 Management\n       Risk Assessment (RAJ\xc2\xb7 Managemellt\n       System and Information Integrity (S]) \xe2\x80\xa2 Operational\n\x0c                                                                                               Page 4 of 4\n\n\n\n\nPage 4 - Daniel R. Levinson\n\n\nIn closing, we would like 10 thank the O IG for their recommendations and valuable feedback.\nWe look forward to working with you to improve the information security posture at eMS and\nbetter addressing the needs of those affected by our program.\n\x0c'